Data protection: Lessons from the EU

Members of the European Parliament take part in a voting session during a plenary session at the European Parliament on 11 December 2018 in Strasbourg, eastern France. (Frederick Florin/ AFP)

In March this year, the world was rocked by the Cambridge Analytica scandal. The United Kingdom (UK) based data analytics and political consulting firm that worked on Donald Trump’s 2016 presidential campaign had obtained data from 87 million Facebook users worldwide without proper permission.


Investigations by the New York Times and The Guardian revealed that in 2014, around 270,000 people agreed to have their data collected through a personality test via a Facebook app for academic purposes. However, due to Facebook’s application programming interface (API) at the time, the app was also able to collect data from friends of the people who took part in the test as well.


Data released by Facebook showed that Cambridge Analytica had access to information of users from the Philippines, Indonesia and Vietnam. Facebook also confirmed that Cambridge Analytica had access to at least one million users in the Philippines and Indonesia and 400,000 users in Vietnam.


This scandal highlighted the concerns that many of us have as internet users. People are giving up their data everyday and there is no guarantee that their data will be protected. It is not just Facebook that is mining our data. In 2015, it was revealed that Google keeps the audio log of users’ voice searches on mobile phones. And in 2017, it was revealed that Google was reportedly tracking the locations of its users even if they turned off location settings on their mobile devices. Besides that, there are countless mobile phone apps today that manipulate their users into giving up their personal information.

Source: Various sources

General Data Protection Regulation


To protect its citizens, the European Parliament passed the General Data Protection Regulation (GDPR) in 2016 that came into force this May. With the implementation of the GDPR, the European Union (EU) hopes that companies that collect personal data of its residents will be held more accountable for their actions. The scope of the GDPR doesn’t just cover EU companies, but also organisations outside the union that offer services to EU residents.


The GDPR is comprehensive, ranging from the various responsibilities corporations have over personal data to the individual’s right to their own data. Under the GDPR, users have stronger control over what data is shared with companies. Users are supposed to be notified and asked for permission before their data can be shared. EU citizens also have the right to request access to review personal information gathered by companies. Infringements by companies under the new regulation could see them getting a fine of up to US$31.7 million or up to 4 percent of an organisation's annual global turnover.


Lessons for ASEAN


ASEAN as a whole has been lagging behind the rest of the world when it comes to protecting the online privacy of its citizens. With the EU tightening up regulations on the continent, companies may seek to exploit the lax regulations in this region. Currently, ASEAN’s digital economy is on the rise. The region has over 200 million internet users and its digital economy is expected to be worth US$200 billion by 2025. Before the inevitable arrival of online companies to the region, ASEAN countries need to get their data protection laws in shape.


Vietnam recently launched a new law that supposedly seeks to protect the data of its citizens. However, under this law, the state has the power to request personal data of users suspected of subversive activities. The intention of protecting its citizens data may be a noble one, however the potential collaboration between a large corporation and the state to combat anti-establishment activities presents a chilling scenario.


Instead, ASEAN needs to take lessons from the EU and come up with a proper framework that truly protects the privacy of its people without emboldening state powers. If ASEAN were to come up with its own regulations over data, it needs to be comprehensive and all-encompassing similar to the one enforced by the EU. However, ASEAN probably cannot afford to impose harsh punishments like those contained in the GDPR as its digital economy is just beginning to take off. Any risks of damaging its digital potential should be avoided for the time being.


The strengthening of ASEAN’s regulation of data would also simplify business processes. Data-trading and e-commerce is a growing industry and irregularities throughout the region would only stunt such growth. Furthermore, in January, the EU endorsed horizontal provisions for cross-border data flows and personal data protection in trade negotiations. This means that it is likely that deals that involve any flow of data would require the country dealing with the EU to have similar regulations to that of the GDPR.


Just as the internet is not limited to traditional borders, the laws governing it must transcend borders too.


Related articles:

Data localisation in Southeast Asia

Growing concerns for Internet freedom in Southeast Asia